
What happened:

Apple recently released updates for iOS and OS X which address a critical vulnerability affecting encrypted communications.  This vulnerability could allow an attacker to eavesdrop on connections between you and other parties, disclose personal information or install malicious software.  All users of iOS and OS X Mavericks are advised to install the latest system updates as soon as possible.

Who is affected:

iOS

Any device or computer running iOS prior to 7.0.6 (or 6.1.6) when communicating over SSL/TLS with any application that uses Apple's Secure Transport framework (this includes Safari, Mail, Software Update and many more).

An update for iOS has been released.  More details here:

http://support.apple.com/kb/HT6147

The update for iOS 6 is available only for the iPhone 3GS and 4th generation iPods. The iPhone 4 and 4S, which are capable of running iOS 7, are only offered iOS 7.0.6 to address the SSL/TLS bug, even if they are running iOS 6.

Help on updating your iOS device:  http://support.apple.com/kb/HT4623

OS X

Any device or computer running OS X 10.9 prior to 10.9.2 when communicating over SSL/TLS with any application that uses Apple's secure transport framework (this includes Safari, Mail, Software Update and many more).  While the SSL vulnerability was first introduced to iOS in 2012, it only affects Macs running OS X 10.9.  Lion and Mountain Lion users are not affected.

An update for OS X has been released for Mavericks (10.9).  More details here:

http://support.apple.com/kb/HT6150

Help on updating your OS X system: http://support.apple.com/kb/HT1338

What to do:

You should update your iOS devices (iPhones, iPads and iPod touches) and OS X Mavericks (10.9) machines as soon as possible from a trusted network.  Because the update affects the trust between your device and others (including Apple's update servers), you should not perform a software update over an untrusted network (such as a coffee shop).

Contact your IT support person or the IT helpdesk for assistance with installing and confirming the correct updates.
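To help confirm whether a Mac still needs the update, here is an added example (not part of this advisory): a POSIX shell function that classifies an OS X version string, such as the output of sw_vers -productVersion, against the affected ranges stated above.

```shell
#!/bin/sh
# Added example, not from the advisory: classify an OS X version string.
#   affected      - Mavericks 10.9.0 or 10.9.1 (needs the 10.9.2 update)
#   fixed         - 10.9.2 or later
#   not-affected  - any other major.minor (e.g. Lion 10.7, Mountain Lion 10.8)
#   unknown       - input is not a dotted numeric version
# On a Mac: osx_status "$(sw_vers -productVersion)"
osx_status() {
    ver="$1"
    # Reject empty strings, non-numeric characters, and stray/doubled dots.
    case "$ver" in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    major=$(printf '%s\n' "$ver" | cut -d. -f1)
    # -s makes cut print nothing when the delimiter is absent ("10" -> no minor).
    minor=$(printf '%s\n' "$ver" | cut -s -d. -f2)
    patch=$(printf '%s\n' "$ver" | cut -s -d. -f3)
    [ -z "$minor" ] && { echo unknown; return 0; }
    # A bare "10.9" is the same release as 10.9.0.
    [ -z "$patch" ] && patch=0
    if [ "$major" -eq 10 ] && [ "$minor" -eq 9 ]; then
        if [ "$patch" -lt 2 ]; then
            echo affected
        else
            echo fixed
        fi
        return 0
    fi
    # The advisory states that only OS X 10.9 is affected.
    echo not-affected
}
```

Run it with no argument and it reports unknown; integrate into an inventory script by checking for the word affected in its output.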

Questions:

For other questions, contact security@lbl.gov

Resources:

http://support.apple.com/kb/HT6147
http://support.apple.com/kb/HT6150
http://www.wired.com/threatlevel/2014/02/gotofail/
http://blog.sfgate.com/techchron/2014/02/24/apples-massive-goto-fail-fixed-in-ios-but-not-in-os-x/
http://www.zdnet.com/apple-and-the-ssltls-bug-open-questions-7000026628/
https://www.imperialviolet.org/2014/02/22/applebug.html